ClaudeWave
Skill · 2.3k repo stars · updated 1mo ago

offensive-initial-access

This Claude Code skill provides a checklist of initial access techniques for red team engagements, including phishing, credential stuffing, exposed service exploitation, supply chain attacks, and brute force attacks. Use it when planning or executing the initial access phase of penetration tests or authorized security assessments to systematically evaluate and track applicable attack vectors against a target environment.

Install in Claude Code
git clone --depth 1 https://github.com/SnailSploit/Claude-Red /tmp/offensive-initial-access && cp -r /tmp/offensive-initial-access/Skills/infrastructure/offensive-initial-access ~/.claude/skills/offensive-initial-access
Then open a new Claude Code session; the skill loads automatically.

SKILL.md

# SKILL: Modern Initial Access

## Metadata
- **Skill Name**: initial-access
- **Folder**: offensive-initial-access
- **Source**: https://github.com/SnailSploit/offensive-checklist/blob/main/initial-access.md

## Description
Initial access techniques checklist: phishing (spear/smishing), credential stuffing, exposed service exploitation, supply chain attacks, watering hole, VPN/RDP brute force, public-facing application exploitation. Maps to MITRE ATT&CK TA0001. Use when planning initial access phases of red team engagements.

## Trigger Phrases
Use this skill when the conversation involves any of:
`initial access, phishing, spear phishing, credential stuffing, exposed service, supply chain, watering hole, VPN brute force, RDP attack, MITRE TA0001, initial foothold`

## Instructions for Claude

When this skill is active:
1. Load and apply the full methodology below as your operational checklist
2. Follow steps in order unless the user specifies otherwise
3. For each technique, consider applicability to the current target/context
4. Track which checklist items have been completed
5. Suggest next steps based on findings

---

## Full Methodology

# Modern Initial Access

## Introduction

### Typical Initial Access Vectors

- Email with malware attached/linked
  - Most attacks using attached malware won't work
  - Out-of-the-box protection may not cover `PDF, ISO, IMG, HTML, SVG, PPTM, PPSM, ACCDE`
  - Most URL-based attacks do work
  - The domain's reputation, age and category should be sound
  - The domain should use HTTPS
  - Limit the number of GET parameters and their names
  - Use HTML smuggling to evade
  - Get your domain warmed up (send some legitimate emails first, with no attachments or links)
  - Advanced attacks may involve delivering backdoored trusted applications (e.g., older Electron apps with V8 exploits) via phishing to bypass application control such as WDAC.
- Spear-phishing / phishing / stealing valid credentials
  - Check your mail with [Phishious](https://github.com/CanIPhish/Phishious) before sending it to your victim
  - Use [decode-spam-headers](https://github.com/mgeeky/decode-spam-headers) to analyze returned SMTP headers
  - Be aware that default Microsoft Office settings now block macros in files downloaded from the internet (marked with `MOTW`). Success often requires significant social engineering to convince users to bypass these protections, or alternative delivery methods (e.g., containers that don't propagate `MOTW`, signed add-ins).
  - Images and links increase the spam score; be wary of that
  - Don't use `no-reply`-style usernames
  - Send through `GoPhish -> AWS SOCAT :587 -> smtp.gmail.com -> @target.com`
  - Link to websites on trusted domains, such as cloud-facing resources
  - Make sure your webserver blocks automated bots
- Deep‑fake voice or video social‑engineering calls (help‑desk or executive impersonation) to obtain password resets or approve MFA prompts. Generative‑AI tools make cloning voices trivial.
- Business Email Compromise (BEC) / OAuth consent phishing that targets finance or vendor‑portal users, yielding cloud‑token access even where MFA is enabled.
- Malicious OneNote `.one` attachments and OneDrive "Add to Shortcut" abuse: embedded HTA/JS payloads bypass Office macro blocking and spread via cloud sync.
- Excel blocks untrusted Internet-origin XLL add-ins by default (M365, 2023+). Smuggled XLLs inside containers may still be blocked once MOTW propagates.
- Malicious browser extensions (Chrome, Edge, Firefox) delivered through fake Web Store listings; hijack session cookies or inject scripts into authenticated SaaS sessions.
- Attackers register malicious cloud apps and trick users into granting scopes, giving token-based access that bypasses MFA
- Reusing stolen credentials against external single-factor VPNs, gateways, etc.
- Password Spraying against Office365, custom login pages, VPN gateways
- Exposed RDP with weak credentials and lacking controls
- Unpatched known vulnerable perimeter device, application bugs, default credentials, etc
- Rarely HID-emulating USB sticks
- WiFi Evil Twin -> Rogue WPA2 Enterprise -> NetNTLMv2 hash cracking -> authenticated network access -> Responder
- Plugging into on-premises LAN -> Responder/mitm6/Ldaprelayx
- SEO poisoning / paid‑search malvertising (e.g., fake PuTTY & WinSCP ads, dominant loader delivery 2024–25) and "quishing" PDFs whose QR codes redirect victims to mobile OAuth login pages
- Consent‑/token‑phishing and Adversary‑in‑the‑Middle (AiTM) proxy kits that steal OAuth session cookies or proxy MFA (e.g., EvilProxy, Tycoon, Dadsec). These vectors bypass MFA by tricking users into granting access to rogue Azure AD / Google Workspace apps.
- Supply‑chain compromise of developer ecosystems:
  - malicious NPM / PyPI typosquat packages
  - poisoned GitHub Actions or CI/CD secrets exfiltration
  - container‑registry deception (imageless Docker Hub repos or `curl | bash` installers).
  - First contact often occurs on developer workstations.
- Mass‑exploited perimeter and edge‑device zero‑days (e.g., Ivanti Connect Secure (CVE-2023-46805, CVE-2024-21887), MOVEit Transfer (CVE-2023-34362), Citrix Bleed) enabling unauthenticated remote code execution **before** credentials come into play. Maintain a live "current CVEs exploited‑in‑the‑wild" table and apply virtual patching/WAF rules where upgrades lag.
- Cloud & Kubernetes misconfigurations:
  - exposed S3 buckets allowing upload‑then‑execute objects
  - SSRF into EC2 IMDSv1 or GCP metadata to steal instance credentials
  - open Kubernetes API/Argo CD dashboards, and leaked Azure SAS tokens that grant cross‑tenant data extraction.
  - OIDC Workload Identity Federation exposed: stolen GKE/EKS service‑account tokens grant cross‑cluster privilege escalation.
  - AWS STS credentials embedded in shareable URLs (`GetFederationToken`, presigned S3, etc.) leak temporary keys to attackers.
- Mobile initial‑access vectors:
  - smishing or WhatsApp/Telegram lures
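The password-spraying and credential-reuse items in the list above (Office 365, custom login pages, VPN gateways, single-factor VPNs) are easiest to catch on the defender's side by counting failures per source across many accounts, rather than per account as a lockout policy does. The script below is an added example written for this page; it is not part of the SKILL.md or the SnailSploit project. The log format (`<timestamp> src=<ip> user=<name> result=<SUCCESS|FAIL>`), the sample lines, and the thresholds are constructed assumptions.

```python
"""Flag password spraying (many accounts, few failures each, one source) and
brute force (one account, many failures) in authentication logs.

Added example for this page; assumes a simple key=value log format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data). Assumed format:
# "<ISO-8601 UTC timestamp> src=<ip> user=<name> result=<SUCCESS|FAIL>"
SAMPLE_LOG = """\
2024-05-01T09:00:01Z src=203.0.113.7 user=alice result=FAIL
2024-05-01T09:00:03Z src=203.0.113.7 user=bob result=FAIL
2024-05-01T09:00:05Z src=203.0.113.7 user=carol result=FAIL
2024-05-01T09:00:07Z src=203.0.113.7 user=dave result=FAIL
2024-05-01T09:00:09Z src=203.0.113.7 user=erin result=FAIL
2024-05-01T09:00:11Z src=203.0.113.7 user=frank result=SUCCESS
2024-05-01T09:00:02Z src=198.51.100.9 user=alice result=FAIL
2024-05-01T09:00:04Z src=198.51.100.9 user=alice result=FAIL
2024-05-01T09:00:06Z src=198.51.100.9 user=alice result=FAIL
2024-05-01T09:00:08Z src=198.51.100.9 user=alice result=FAIL
2024-05-01T09:00:10Z src=198.51.100.9 user=alice result=FAIL
2024-05-01T09:00:12Z src=198.51.100.9 user=alice result=FAIL
2024-05-01T09:30:00Z src=192.0.2.44 user=gina result=FAIL
2024-05-01T09:30:05Z src=192.0.2.44 user=gina result=SUCCESS
"""


def parse_line(line):
    """Return (timestamp, src_ip, user, result) for one log line."""
    ts_str, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return ts, kv["src"], kv["user"], kv["result"]


def analyze(log_text, window=timedelta(minutes=10), spray_users=5, brute_attempts=5):
    """Return {src_ip: finding} for every source that exceeds either
    threshold inside some sliding window of length `window`."""
    failures = defaultdict(list)   # src -> [(ts, user), ...] in time order
    successes = defaultdict(list)  # src -> [ts, ...]
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    for ts, src, user, result in events:
        if result == "FAIL":
            failures[src].append((ts, user))
        else:
            successes[src].append(ts)

    findings = {}
    for src, fails in failures.items():
        in_window = defaultdict(int)  # user -> failures inside current window
        left = 0
        max_distinct = max_single = 0
        for ts, user in fails:
            in_window[user] += 1
            # Slide the left edge forward until the window fits again.
            while ts - fails[left][0] > window:
                old_user = fails[left][1]
                in_window[old_user] -= 1
                if in_window[old_user] == 0:
                    del in_window[old_user]
                left += 1
            max_distinct = max(max_distinct, len(in_window))
            max_single = max(max_single, max(in_window.values()))
        verdicts = []
        if max_distinct >= spray_users:
            verdicts.append("password-spray")
            # A success from the same source after the spray began is the
            # highest-priority signal: a sprayed password probably landed.
            if any(t >= fails[0][0] for t in successes.get(src, [])):
                verdicts.append("success-after-spray")
        if max_single >= brute_attempts:
            verdicts.append("brute-force")
        if verdicts:
            findings[src] = {"distinct_users": max_distinct,
                             "max_failures_one_user": max_single,
                             "verdicts": verdicts}
    return findings


if __name__ == "__main__":
    for src, finding in analyze(SAMPLE_LOG).items():
        print(src, finding)
```

The sliding window keeps per-user failure counts for each source, so the same pass separates a spray (distinct users in the window) from a brute-force (failures against one user) and surfaces the spray source that later logged in successfully, which is the case worth paging on.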
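The edge-device item in the list above recommends keeping a live table of CVEs exploited in the wild and applying virtual patching or WAF rules where upgrades lag. The Python below is an added example, not the project's code, of cross-checking an inventory of internet-facing assets against such a table. It assumes the field names of the CISA KEV JSON feed (`cveID`, `vendorProject`, `product`, `dueDate`) for the table, but the feed excerpt, due dates, host names and the inventory schema (`patched`, `waf_rules`) are constructed for the example; the CVE identifiers are the ones the page lists.

```python
"""Cross-check an inventory of internet-facing assets against a table of
CVEs known to be exploited in the wild, reporting what is unpatched and
whether an interim WAF / virtual-patch rule covers it.

Added example; the table layout follows the field names of the CISA KEV JSON
feed, but the entries, dates, hosts and inventory schema are constructed.
"""
import json
from datetime import date

# Constructed excerpt in KEV-style layout (due dates are sample values, not
# the real catalogue entries).
KEV_SAMPLE = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2023-46805", "vendorProject": "Ivanti",
     "product": "Connect Secure and Policy Secure", "dueDate": "2024-01-22"},
    {"cveID": "CVE-2024-21887", "vendorProject": "Ivanti",
     "product": "Connect Secure and Policy Secure", "dueDate": "2024-01-22"},
    {"cveID": "CVE-2023-34362", "vendorProject": "Progress",
     "product": "MOVEit Transfer", "dueDate": "2023-06-23"},
]})

# Constructed inventory; the field names are this example's own convention.
INVENTORY = [
    {"host": "vpn-1.example.com", "vendor": "Ivanti", "product": "Connect Secure",
     "patched": ["CVE-2023-46805"], "waf_rules": []},
    {"host": "mft-1.example.com", "vendor": "Progress", "product": "MOVEit Transfer",
     "patched": [], "waf_rules": ["CVE-2023-34362"]},
    {"host": "www.example.com", "vendor": "Apache", "product": "HTTP Server",
     "patched": [], "waf_rules": []},
]


def _matches(entry, asset):
    """Vendor must match exactly; KEV product strings often bundle several
    products, so the asset's product need only appear inside the string."""
    return (entry["vendorProject"].lower() == asset["vendor"].lower()
            and asset["product"].lower() in entry["product"].lower())


def exposure_report(kev_json, inventory, as_of):
    """Return one row per (asset, exploited CVE) that is not fully patched.

    `as_of` is an ISO date string. status is 'virtual-patched' when a WAF
    rule covers the CVE, 'overdue' when the remediation due date has passed,
    otherwise 'open'. Overdue, unmitigated rows are listed first.
    """
    as_of_date = date.fromisoformat(as_of)
    entries = json.loads(kev_json)["vulnerabilities"]
    rows = []
    for asset in inventory:
        for entry in entries:
            if not _matches(entry, asset):
                continue
            cve = entry["cveID"]
            if cve in asset["patched"]:
                continue
            if cve in asset["waf_rules"]:
                status = "virtual-patched"
            elif date.fromisoformat(entry["dueDate"]) < as_of_date:
                status = "overdue"
            else:
                status = "open"
            rows.append({"host": asset["host"], "cve": cve,
                         "status": status, "due": entry["dueDate"]})
    order = {"overdue": 0, "open": 1, "virtual-patched": 2}
    rows.sort(key=lambda r: (order[r["status"]], r["host"]))
    return rows


if __name__ == "__main__":
    for row in exposure_report(KEV_SAMPLE, INVENTORY, date.today().isoformat()):
        print(f'{row["host"]:22} {row["cve"]:16} {row["status"]:16} due {row["due"]}')
```

Run against the real feed, the only change is replacing `KEV_SAMPLE` with the downloaded JSON and `INVENTORY` with the asset list from the CMDB; a "virtual-patched" row still belongs on the upgrade backlog, it just drops below the overdue ones.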